Hi Stephan,

> I like this draft but I'm a little bit concerned about the scalability.
> How will a busy parent provision a unique secret key for each of the
> child?

Do you mean the scalability for capacity on the update server side? Although BIND might not be able to scale this out of the box, the example has only been given in the draft to have a hands-on way for ppl to try this draft.
In reality it should not be a major issue to receive those DNS updates and process them (with or without signatures) - similar efforts are currently made for each request to change NS-sets on the parent (admittedly those might happen less frequent).

> And how will this key be transported between the parent and the
> child in a secure way?

The same way a parent is currently providing a domain owner with credentials for their management interfaces. If a domain owner has specific requirements in terms of security on that channel it is something where registrars can offer whatever their customers demand.

Regards,
Wolfgang

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
